November 8, 2024 | Policy Brief

U.S. and Israel Expose Iran’s Tenacious Malign Influence

The FBI, the U.S. Department of the Treasury, and the Israel National Cyber Directorate published a joint cybersecurity advisory on October 30 detailing new tradecraft and operations by Emennet Pasargad, a threat actor linked to Iran’s Islamic Revolutionary Guard Corps. The advisory’s detailed account of Iranian tradecraft can strengthen global efforts to counter Iran’s malign influence, and it demonstrates the benefits of close collaboration between the United States and its democratic allies against a common adversary.

Emennet Pasargad, which now operates under the company name Aria Sepehr Ayandehsazan (ASA), is one of Iran’s most tenacious threat actors, having conducted multiple prominent cyber and influence operations in support of numerous malign actors, including Hamas.

For example, ASA published the private information of Israeli Olympians to scare the athletes and the Israeli public; attempted to contact the families of Israeli hostages in Gaza to inflict more trauma; and sent out mass text messages seeking to incite Muslim protests in Sweden following the burning of Qurans by political extremists.

ASA also attempted to interfere with the 2020 U.S. presidential election, prompting Treasury sanctions, a Department of Justice indictment, and a State Department reward offer of up to $10 million for information leading to the identification or location of its leadership. On October 23, 2024, Microsoft revealed that the group had conducted reconnaissance and limited probing against election-related websites in several swing states in April 2024.

The joint advisory reveals several significant developments in ASA’s tradecraft. ASA had previously conducted hack-and-leak operations primarily to steal and then publicize sensitive information, causing psychological, reputational, and financial harm. Now ASA also uses commercially available artificial intelligence tools to generate and enhance images and audio for its operations. Among other tactics, the advisory details how ASA creates front companies to purchase web hosting services from unsuspecting foreign providers. ASA uses some of that infrastructure for its own cyber and influence operations and provides the rest to other Iranian terrorist proxies, including Hamas and Hezbollah.

The advisory also details how ASA gathers sensitive information without intrusions, relying instead on open-source intelligence reconnaissance. To research specific individuals, ASA uses commercially available identification tools and services as well as publicly available data from social media and from genealogy services such as ancestry.com, presumably in preparation for further cyber or physical attacks.

ASA also uses specialized search engines to identify exposed internet-connected cameras and gather visual intelligence on sites whose locations the joint advisory does not disclose. The advisory warns that in the wake of Hamas’s attack on Israel on October 7, 2023, ASA harvested imagery from exposed cameras across Israel.

In releasing such a detailed advisory, thereby enabling private companies and other governments to take steps to mitigate Iranian operations, the United States and Israel demonstrate the value of international collaboration on investigation and attribution of cyber and influence operations. At the same time, America and its allies should take further steps to make it more difficult for Iran and other adversaries to conduct these operations, by signing new information-sharing and cooperation agreements.

By creating a stronger regulatory environment, Washington and other governments could undermine Iran’s use of front companies to access foundational internet infrastructure such as data centers and hosting services. While many managed hosting providers already require customers purchasing domains or renting servers to complete know-your-customer forms, these processes are porous. Mandating a more stringent registration process for firms that directly provide hosting infrastructure to clients would help the United States and its allies catch fronts like the ones Iran used in these operations.

Max Lesser is the senior analyst on emerging threats at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Ari Ben Am is an adjunct fellow at the center. Follow Ari on X @ari_ben_am. Follow FDD and CCTI on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on foreign policy and national security.

Issues:

Cyber Iran Israel Sanctions and Illicit Finance U.S. Defense Policy and Strategy

Topics:

Federal Bureau of Investigation Gaza Strip Hamas Hezbollah Iran Islamic Revolutionary Guard Corps Israel Microsoft Corporation Muslims Quran Sweden United States United States Department of Justice United States Department of State United States Department of the Treasury Washington